
CloudTrail, AWS Config, and Operational Dashboards


DOP-C02 deep dive on CloudTrail trails, Lake, Insights, S3 data events, AWS Config rules and conformance packs, multi-account aggregator, drift detection, and integrated dashboards with QuickSight, Athena, and Security Hub.


CloudTrail and AWS Config audit dashboards form the compliance and governance layer of every DOP-C02 monitoring scenario. Where CloudWatch sees the metric, X-Ray sees the request, CloudTrail sees the API call ("who did what to which resource when") and Config sees the resource configuration history ("what did this resource look like at every point in time"). Together they answer the auditor's questions, the security investigator's questions, and the DevOps engineer's "what changed?" question after an unexpected outage. DOP-C02 expects you to design organization trails, query CloudTrail Lake with SQL, distinguish data events from management events, build Config rules and conformance packs at scale, aggregate Config across accounts, integrate with Security Hub, detect CloudFormation drift, and wire the whole thing into auto-remediation chains via EventBridge and SSM Automation.

This guide assumes you understand basic CloudTrail (it logs API calls) and basic Config (it tracks resource configuration). It focuses on the DOP-C02 implementation depth: organization trail vs single-account trail, multi-Region trail design, management events vs data events vs Insights events with their pricing implications, CloudTrail Lake as the SQL-queryable replacement for "ship to S3 then query with Athena", S3 data events for object-level audit, Config rules (managed vs custom), conformance packs for templated rule bundles, multi-account Config aggregator for the central compliance view, CloudFormation drift detection for IaC governance, Control Tower drift for landing-zone hygiene, integration with Security Hub for unified findings, KMS encryption of trails and Config history, and the QuickSight + Athena dashboard pattern for executive reporting. Domain 4.2 (audit, monitor, analyze) and Domain 6.3 (security monitoring and auditing) cover this material.

Why CloudTrail and Config Audit Dashboards Matter on DOP-C02

DOP-C02 is structurally a multi-domain exam. Monitoring (15 percent), Incident Response (14 percent), and Security and Compliance (17 percent) all share the same audit substrate. CloudTrail and Config are the two services that show up in every "who changed what" stem, every "is this resource compliant" stem, and every auto-remediation chain. If you misread a CloudTrail vs Config stem, you can lose multiple questions across domains.

The exam style here is service disambiguation under pressure. Multiple community study reports flag "CloudTrail vs Config vs Trusted Advisor vs GuardDuty vs Inspector" as one of the top trap zones. CloudTrail tells you who called the API. Config tells you how the resource is configured now and historically. They are not interchangeable. A typical DOP-C02 stem reads: "An auditor needs proof that no S3 bucket has been public-read for the past 90 days." Wrong answers offer GuardDuty (a threat-detection service) or CloudTrail Insights (anomaly detection on API rates). The right answer is AWS Config rule s3-bucket-public-read-prohibited with historical configuration history stored in S3 for proof, optionally aggregated across accounts.

  • CloudTrail trail: a configuration that captures API events and ships them to S3, CloudWatch Logs, and/or EventBridge.
  • Management events: control-plane API calls (CreateBucket, RunInstances). Free for one trail, paid for additional.
  • Data events: data-plane API calls (S3 GetObject, Lambda Invoke). Always paid; off by default.
  • Insights events: anomaly detection on management API call rates and error rates.
  • CloudTrail Lake: a managed event data store that lets you query CloudTrail events with SQL, without setting up Athena.
  • Organization trail: a trail that captures events from every account in an AWS Organization with one configuration.
  • AWS Config: continuous configuration recording for AWS resources with rule-based compliance evaluation.
  • Config rule: an evaluation that flags resources as COMPLIANT or NON_COMPLIANT, either AWS-managed or custom (Lambda or Guard).
  • Conformance pack: a YAML-defined collection of Config rules and remediation actions deployable across accounts.
  • Config aggregator: a single account view of Config data from many accounts and Regions.
  • CloudFormation drift detection: an on-demand check comparing the deployed stack resources to the template.
  • Control Tower drift: drift in landing-zone guardrails (mandatory and elective) detected and surfaced in the Control Tower console.
  • Security Hub: a service that aggregates findings from Config, GuardDuty, Inspector, Macie, and partner products into one console with severity scoring.
  • Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html

Plain-Language Explanation: CloudTrail and AWS Config Audit Dashboards

The audit-and-compliance corner is genuinely confusing because four AWS services overlap functionally. Three analogies sort them out.

Analogy 1: The Bank — Camera Footage, Vault Inventory, Suspicious Activity Reports

A bank runs three different audit systems. Security camera footage records who walked into the vault, opened which drawer, and at what time. That is CloudTrail — a continuous record of who did what API call. Vault inventory is taken every hour: a snapshot of every safe deposit box's contents and lock state. That is AWS Config — point-in-time snapshots of resource configuration. Suspicious activity reports are filed when an unusual pattern is detected: a teller making 200 transactions in 5 minutes, a customer withdrawing larger sums than usual. That is CloudTrail Insights — anomaly detection over the camera footage. When the auditor asks "did anyone access drawer 47 last Tuesday at 3am", the answer is in the camera footage (CloudTrail). When the auditor asks "was drawer 47 ever left unlocked over the past 90 days", the answer is in the vault inventory history (Config). When the auditor asks "is anything weird going on right now", the answer is in suspicious activity reports (Insights). DOP-C02 tests that you reach for the right system for each question.

Analogy 2: The Construction Site — Logbook, Blueprints, Inspector Checklists

A construction site has a daily activity logbook (CloudTrail) — every contractor who arrived, what they signed for, what tools they checked out. A set of as-built blueprints (Config) — kept current with every wall, pipe, and wire as it actually exists in the building. Inspector checklists (Config rules and conformance packs) — every quarter, the safety inspector walks through and ticks "fire exit unblocked? sprinkler heads installed every 3m? exit signs lit?". When the inspector finds a violation, they leave a sticker (a non-compliant Config rule finding) and the site supervisor must remediate. The drift detection is when someone moves a wall without updating the blueprints — an unauthorized modification. Multi-account aggregator is the head office's master view across all 50 active sites. Conformance packs are the standardized inspector checklists shipped from head office to every site (a Config conformance pack template deployed via CloudFormation StackSets).

Analogy 3: The Hospital — Medical Records, Patient Charts, JCAHO Audit

A hospital keeps medical records (CloudTrail) of every action: medication administered, procedure performed, by which staff. Patient charts (Config) are the current state — temperature, vital signs, allergies, diagnosis. The JCAHO accreditation audit is a recurring evaluation: are doctors washing hands? Are charts updated within 4 hours? Are controlled substances locked? Each criterion is a Config rule. The accreditation team's standard checklist is a conformance pack. When a patient deteriorates, the medical record (CloudTrail) tells you exactly which medications were given by whom. The chart history (Config history) tells you when vital signs first became abnormal. CloudFormation drift detection is the hospital's audit catching cases where someone changed the patient's diagnosis on the chart without going through the official update process — an out-of-band edit.

For DOP-C02 stems centered on "who called the API", reach for bank camera footage = CloudTrail. For stems centered on "is this resource compliant" or "what did the resource look like 30 days ago", reach for vault inventory = Config. For stems centered on "find unusual API activity automatically", reach for suspicious activity report = CloudTrail Insights or GuardDuty. Reference: https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html

CloudTrail Trail Anatomy

A trail captures events with three categories:

Management events

Control-plane operations: CreateBucket, DeleteBucket, RunInstances, AssumeRole. One trail per account is free for management events; additional trails are paid. By default, trails capture both read-only (Get*, List*, Describe*) and write-only events; you can filter to one or the other.

Data events

Data-plane operations: s3:GetObject, s3:PutObject, lambda:Invoke, dynamodb:GetItem. Always paid. Off by default. Data events are extremely high volume (an S3 bucket can have millions per day), so configure carefully — use bucket prefixes, function name filters, and resource ARN inclusion lists.

Insights events

Anomaly detection on management API call rate and error rate. Detects unusual spikes in RunInstances, AssumeRole, etc. Insights events themselves are billed and must be explicitly enabled. Useful for catching credential compromise (sudden burst of API calls from a new principal).

Trail destinations

A trail can deliver to S3 (always), CloudWatch Logs (optional, for queries and alarms), and EventBridge (default bus, automatic for management events). The S3 bucket should have:

  • KMS encryption (customer-managed key for compliance).
  • S3 Object Lock with governance/compliance retention if regulators require WORM.
  • A bucket policy preventing deletion by anyone except a break-glass role.
  • Cross-account replication to a log archive account.

Organization Trails — One Configuration, Whole Org

Configured at the management account, an organization trail automatically applies to every member account, including new accounts as they join. This is the right answer for "centralized audit logs across the organization". A common DOP-C02 trap: candidates pick "create a trail in each account and aggregate via S3 replication". Wrong — use organization trails.

CloudTrail Lake — SQL Queries Without Athena

CloudTrail Lake is a managed event data store where CloudTrail events are stored in a structured format and queried with SQL directly through the CloudTrail console or API. Replaces the "ship to S3 then query with Athena" pattern when you want one less moving part. Pricing is per ingested event and per scanned data; retention up to 7 years. Lake also accepts non-AWS events via a custom integration (e.g., third-party SaaS audit logs).

A common DOP-C02 trap: a stem describes 50 member accounts, each with its own trail, plus an organization trail at the management account. The team sees double-counted events and high cost. The fix is to delete the per-account trails and rely solely on the organization trail. Per-account trails were needed before organization trails existed; for any modern setup, organization trail is the single source of truth. Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html

CloudTrail Insights

Insights detects API call rate and error rate anomalies on management events. Common findings:

  • Unusual burst in ConsoleLogin failures (potential brute force).
  • Unexpected spike in RunInstances (compromised credentials cryptomining).
  • Surge in AssumeRole failures (misconfigured automation or attack).

Insights findings are emitted as CloudTrail Insights events on the trail and to EventBridge, where they can route to SNS, Lambda, or Incident Manager. Insights does not cover data events.

AWS Config — Continuous Configuration Recording

Config records resource configuration as a series of configuration items (CIs): every state change to every supported resource (EC2, S3, IAM, RDS, etc.). Each CI is a JSON snapshot timestamped to the change. The configuration timeline lets you see "what did this S3 bucket look like on Tuesday at 14:32".

Config rules

A Config rule evaluates resources for compliance. Two kinds:

  • Managed rules: ~250 AWS-provided rules covering common compliance checks (s3-bucket-public-read-prohibited, iam-password-policy, restricted-ssh).
  • Custom rules: backed by Lambda (any logic you write) or AWS Config Custom Policy rules using AWS CloudFormation Guard language (declarative, no Lambda).

Triggers can be configuration change (evaluate when the resource changes) or periodic (every 1, 3, 6, 12, or 24 hours).
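The custom-rule path in concrete form, as an added example that is not from this page or from AWS: a Lambda-style Config rule that marks an S3 bucket NON_COMPLIANT when its ACL or bucket policy grants anonymous read and Block Public Access does not neutralise it. The handler contract (invokingEvent, resultToken, PutEvaluations) is Config's real one; the supplementaryConfiguration field names and the two sample configuration items are assumptions constructed for the example.

```python
"""Custom AWS Config rule (Lambda style) flagging S3 buckets that allow public read.
Added example, not from the page. Config passes `invokingEvent` (a JSON string holding the
configurationItem) and `resultToken`; the function answers with PutEvaluations. The
supplementaryConfiguration field names are an assumption modeled on AWS::S3::Bucket CIs."""
import json

PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def acl_grants_public_read(supp):
    """True if the bucket ACL grants READ or FULL_CONTROL to everyone."""
    acl = supp.get("AccessControlList")
    grants = json.loads(acl).get("grantList", []) if acl else []
    return any(g.get("grantee") in PUBLIC_GRANTEES and g.get("permission") in ("READ", "FULL_CONTROL")
               for g in grants)

def policy_grants_public_read(supp):
    """True if the bucket policy allows s3:GetObject (or a wildcard) to Principal '*'."""
    policy = (supp.get("BucketPolicy") or {}).get("policyText")
    for stmt in (json.loads(policy).get("Statement", []) if policy else []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") == "Allow" and stmt.get("Principal") in ("*", {"AWS": "*"})
                and any(a in ("s3:GetObject", "s3:*", "*") for a in actions)):
            return True
    return False

def evaluate_bucket(ci):
    """(complianceType, annotation) for one bucket CI; Block Public Access can neutralise a public grant."""
    supp = ci.get("supplementaryConfiguration", {})
    pab = supp.get("PublicAccessBlockConfiguration") or {}
    if acl_grants_public_read(supp) and not (pab.get("blockPublicAcls") and pab.get("ignorePublicAcls")):
        return "NON_COMPLIANT", "ACL grants public READ and Block Public Access does not neutralise it"
    if policy_grants_public_read(supp) and not pab.get("restrictPublicBuckets"):
        return "NON_COMPLIANT", "Bucket policy allows anonymous s3:GetObject"
    return "COMPLIANT", "No public read path via ACL or bucket policy"

def lambda_handler(event, context=None, put_evaluations=None):
    """Config entry point. `put_evaluations` is injected so the logic runs offline; in Lambda pass
    boto3.client('config').put_evaluations. Returns the evaluations reported."""
    invoking = json.loads(event["invokingEvent"])
    ci = invoking.get("configurationItem")
    if ci is None:  # periodic (ScheduledNotification) invocations carry no CI; not handled here
        return []
    if ci.get("resourceType") != "AWS::S3::Bucket" or ci.get("configurationItemStatus") == "ResourceDeleted":
        compliance, note = "NOT_APPLICABLE", "Not an existing S3 bucket"
    else:
        compliance, note = evaluate_bucket(ci)
    evaluations = [{"ComplianceResourceType": ci["resourceType"], "ComplianceResourceId": ci["resourceId"],
                    "ComplianceType": compliance, "Annotation": note[:256],  # Config caps annotations
                    "OrderingTimestamp": ci["configurationItemCaptureTime"]}]
    if put_evaluations is not None:
        put_evaluations(Evaluations=evaluations, ResultToken=event["resultToken"])
    return evaluations

def make_event(ci):
    """Constructed stand-in for the event Config delivers on a configuration change."""
    return {"invokingEvent": json.dumps({"configurationItem": ci,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "resultToken": "constructed-token", "configRuleName": "s3-public-read-custom"}

# Constructed CIs: one bucket exposed through its ACL, one whose public policy is neutralised by BPA.
PUBLIC_ACL_BUCKET = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "finance-exports", "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-05-07T14:32:00.000Z", "supplementaryConfiguration": {
        "AccessControlList": json.dumps({"grantList": [
            {"grantee": "http://acs.amazonaws.com/groups/global/AllUsers", "permission": "READ"}]}),
        "PublicAccessBlockConfiguration": {"blockPublicAcls": False, "ignorePublicAcls": False}}}
LOCKED_BUCKET = {
    "resourceType": "AWS::S3::Bucket", "resourceId": "audit-logs", "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-05-07T14:33:00.000Z", "supplementaryConfiguration": {
        "BucketPolicy": {"policyText": json.dumps({"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "*"}]})},
        "PublicAccessBlockConfiguration": {"blockPublicAcls": True, "ignorePublicAcls": True,
                                           "restrictPublicBuckets": True}}}
```

Run it locally with `lambda_handler(make_event(PUBLIC_ACL_BUCKET))`; the same function body, with `put_evaluations` bound to the boto3 client, is what a change-triggered custom rule would deploy.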

Conformance packs

A YAML template bundling multiple rules and remediation actions. Examples:

  • Operational-Best-Practices-for-PCI-DSS
  • Operational-Best-Practices-for-HIPAA-Security
  • Operational-Best-Practices-for-Amazon-S3

Deploy a conformance pack to many accounts via CloudFormation StackSets or directly through Config's organization-deployment API.

Multi-account aggregator

An aggregator consolidates Config data from many accounts and Regions into a central account, enabling cross-account compliance dashboards and search. Set it up once in the audit/security account; new member accounts can be auto-added if you use Organizations integration.

Config rule triggers:

  • Configuration change: evaluates the resource immediately on a configuration item change. Right for high-priority drift detection.
  • Periodic: evaluates every 1, 3, 6, 12, or 24 hours. Right for rules that don't have an obvious configuration trigger (e.g., checking IAM credential age, which doesn't generate a CI on its own).

Conformance pack deployment scope: single account, single Region by default. Org-wide deployment uses Organizations + delegated administrator. Multi-Region requires deploying the pack in each Region (Config is regional). The aggregator is regional too: for a global view, run it in each Region or use a cross-Region aggregator. Reference: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html

Auto-remediation

Each non-compliant finding can trigger an SSM Automation document to remediate. Examples:

  • Public S3 bucket detected → run AWS-DisableS3BucketPublicReadWrite.
  • Non-encrypted EBS volume → run a custom document that snapshots and rebuilds with encryption.
  • Public security group ingress on port 22 → run AWS-DisablePublicAccessForSecurityGroup.

Remediation can be automatic or manual (requires human approval); set per rule.

CloudFormation Drift Detection

Drift detection compares the current resource state to the template-defined state, surfacing differences. Drift can occur when:

  • An engineer makes manual console changes to a managed resource.
  • A separate IaC tool modifies the resource.
  • A Lambda runs an SDK call that changes resource config.

Drift detection is on-demand — it does not run continuously. Schedule it via EventBridge Scheduler weekly, or via a Config rule (cloudformation-stack-drift-detection-check). When drift is found, options:

  • Update the template to match (codify the drift).
  • Manually correct the resource.
  • Delete and redeploy from template.

Control Tower Drift

Control Tower has its own drift concept covering landing-zone-level changes:

  • Removed mandatory guardrail.
  • Disabled CloudTrail organization trail.
  • Modified shared services account.
  • New OU created outside Control Tower.

Control Tower drift is surfaced in the dashboard and as EventBridge events. Remediation is via the Reset action which restores guardrails.

Integrating with Security Hub

Security Hub aggregates findings from Config, GuardDuty, Inspector, Macie, IAM Access Analyzer, and partners (CrowdStrike, Palo Alto, etc.). It applies a normalized severity scoring and supports standards like:

  • AWS Foundational Security Best Practices (FSBP)
  • CIS AWS Foundations Benchmark
  • PCI DSS

Standards translate to a set of Config rules under the hood; Security Hub displays the unified findings. The exam tests that you know Security Hub is the central console, not a parallel detector — it doesn't generate findings itself, it aggregates.

Athena and QuickSight Dashboards

For long-term audit dashboards, the standard pattern:

  1. CloudTrail logs in S3 with Apache Parquet conversion (via Firehose or scheduled Glue ETL).
  2. Glue Data Catalog tables for CloudTrail logs and Config snapshots.
  3. Athena saved queries for common questions (top API callers, public S3 buckets, IAM policy changes).
  4. QuickSight dashboard reading from Athena for executive view.

Alternative: CloudTrail Lake with built-in dashboards, no Athena/Glue setup needed.

KMS Encryption

CloudTrail trail S3 destination should use a customer-managed KMS key. The key policy must allow cloudtrail.amazonaws.com to encrypt and the audit account principals to decrypt. Config history bucket follows the same pattern. For multi-account setups, a single shared KMS key in the audit account simplifies cross-account decryption.

High-Frequency Exam Traps

Trap 1: CloudTrail vs Config Confusion

CloudTrail = API call audit (who, what, when). Config = resource configuration history (how does it look). Distractor: "use CloudTrail to verify no public S3 buckets exist" — wrong; that is Config.

Trap 2: Data Events Are Off by Default

S3 GetObject and Lambda Invoke require explicit data event configuration. Default trails don't capture them. Distractor: "CloudTrail logs all S3 access by default" — false.

Trap 3: One Trail Per Account is Free for Management Only

Additional trails or data events are paid. The exam's cost-optimization questions test that you know default trail covers management events without extra charge.

Trap 4: Organization Trail Cannot Be Modified by Member Accounts

Member accounts cannot disable, delete, or modify an organization trail. This is the security guarantee. Distractor: "member account admin disables CloudTrail" — they cannot for the org trail.

Trap 5: Config Aggregator Is Regional

Aggregator consolidates per Region. For a global single-pane view, replicate the aggregator in every Region or use cross-Region aggregation features.

Trap 6: Conformance Pack Cannot Auto-Remediate Without Permissions

Remediation actions require an IAM role with permissions to run the SSM document. The conformance pack must reference an existing role, not create one.

Trap 7: CloudFormation Drift Is On-Demand, Not Continuous

Drift detection does not auto-run. Distractor: "drift detection alerts you immediately when someone modifies a stack resource" — false; you must schedule.

Trap 8: Security Hub Aggregates Findings, It Does Not Generate Them

A DOP-C02 distractor offers Security Hub as the source of compliance findings. Security Hub aggregates findings from Config, GuardDuty, Inspector, Macie, etc., applying normalized severity. The actual finding originator is the underlying service. The right pattern: enable the relevant Config rules / GuardDuty / Inspector, then enable Security Hub standards to consolidate. Picking only Security Hub without enabling the upstream services results in an empty console. Reference: https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html

DOP-C02 Exam Patterns and Worked Scenarios

Scenario 1: Centralized Multi-Account Audit Logs

Stem: "50 accounts in an Organization need centralized API audit." Right: organization trail in management account, S3 in audit account with KMS, CloudTrail Lake event data store also in audit account for SQL queries. Wrong: per-account trails with S3 replication.

Scenario 2: Detect Public S3 Buckets Across Org

Stem: "Auditor needs continuous proof no S3 buckets are public-read." Right: Config rule s3-bucket-public-read-prohibited deployed via conformance pack (or directly), aggregated to audit account via Config aggregator. Auto-remediate via SSM Automation AWS-DisableS3BucketPublicReadWrite.

Scenario 3: Investigate a Suspicious Resource Change

Stem: "An RDS DB parameter group changed unexpectedly last Tuesday." Right: query CloudTrail Lake for eventName="ModifyDBParameterGroup" filtered to that resource and date; cross-reference with Config configuration history to see the before-after parameter values.

Scenario 4: Detect Unusual API Activity from Compromised Credential

Stem: "Detect when a long-dormant IAM access key suddenly makes hundreds of RunInstances calls." Right: CloudTrail Insights flagging the management API call rate anomaly; route Insights events to EventBridge → SNS → on-call.
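Scenarios 3 and 4 worked over raw trail output, as an added example that is not from this page: the first function pins the parameter-group change to a principal and access key on a given day, the second flags an access key whose RunInstances calls inside a five-minute window exceed a fixed threshold (a stand-in for the baseline Insights learns per API). The log records, account id, key ids and IP addresses are all constructed.

```python
"""Offline triage over CloudTrail log records for Scenarios 3 and 4: who changed an RDS parameter
group on a given day, and which access key suddenly burst RunInstances calls. Added example, not
from the page. Records are constructed in the shape a trail writes to S3 ({"Records": [...]}); the
fixed burst threshold is a stand-in for the learned baseline CloudTrail Insights uses."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

def _rec(time, source, name, user, key, ip, params):
    """One constructed CloudTrail record carrying the fields the triage below relies on."""
    return {"eventTime": time, "eventSource": source, "eventName": name, "awsRegion": "us-east-1",
            "sourceIPAddress": ip, "requestParameters": params,
            "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key,
                             "arn": f"arn:aws:iam::111122223333:user/{user}"}}

SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-05-07T03:12:44Z", "rds.amazonaws.com", "ModifyDBParameterGroup", "jdoe",
         "AKIAEXAMPLE000000001", "203.0.113.10", {"dBParameterGroupName": "prod-mysql-params",
         "parameters": [{"parameterName": "max_connections", "parameterValue": "5000"}]}),
    _rec("2024-05-07T03:15:02Z", "rds.amazonaws.com", "DescribeDBParameters", "jdoe",
         "AKIAEXAMPLE000000001", "203.0.113.10", {"dBParameterGroupName": "prod-mysql-params"}),
    _rec("2024-05-06T09:00:00Z", "rds.amazonaws.com", "ModifyDBParameterGroup", "deploy-bot",
         "AKIAEXAMPLE000000003", "192.0.2.5", {"dBParameterGroupName": "prod-mysql-params"}),
] + [  # 40 RunInstances calls in four minutes from a key that had been silent
    _rec((datetime(2024, 5, 7, 4, 0) + timedelta(seconds=6 * i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
         "ec2.amazonaws.com", "RunInstances", "ci-legacy", "AKIAEXAMPLE000000002", "198.51.100.77",
         {"instanceType": "p3.16xlarge", "maxCount": 1}) for i in range(40)]})

def load_records(raw):
    """Parse one CloudTrail log file: a JSON object with a top-level Records array."""
    return json.loads(raw)["Records"]

def resource_changes(records, event_name, param_name, param_value, day):
    """Scenario 3: every `event_name` call on `day` (YYYY-MM-DD) whose request names the resource.
    CloudTrail Lake answers this with SQL; this is the same filter over raw S3 log records."""
    hits = []
    for r in records:
        if r["eventName"] != event_name or not r["eventTime"].startswith(day):
            continue
        if (r.get("requestParameters") or {}).get(param_name) != param_value:
            continue
        ident = r["userIdentity"]
        hits.append({"time": r["eventTime"], "principal": ident.get("arn"),
                     "accessKeyId": ident.get("accessKeyId"), "sourceIP": r["sourceIPAddress"],
                     "request": r["requestParameters"]})
    return hits

def call_bursts(records, event_name, window_minutes=5, threshold=20):
    """Scenario 4: access keys whose `event_name` calls inside any `window_minutes` span exceed
    `threshold`. Returns {accessKeyId: {"count", "window_start"}} for the densest window."""
    by_key = defaultdict(list)
    for r in records:
        if r["eventName"] == event_name:
            by_key[r["userIdentity"].get("accessKeyId")].append(
                datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    window, bursts = timedelta(minutes=window_minutes), {}
    for key, times in by_key.items():
        times.sort()
        start, best = 0, (0, 0)  # best = (count, index of the window's first call)
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, (end - start + 1, start))
        if best[0] > threshold:
            bursts[key] = {"count": best[0], "window_start": times[best[1]].isoformat()}
    return bursts

def triage(raw=SAMPLE_LOG):
    """Run both questions over one log file and return the findings."""
    records = load_records(raw)
    return {"param_group_changes": resource_changes(records, "ModifyDBParameterGroup",
                                                    "dBParameterGroupName", "prod-mysql-params",
                                                    "2024-05-07"),
            "run_instances_bursts": call_bursts(records, "RunInstances")}
```

Against a real trail, `load_records` would be fed each gzipped log object from the S3 bucket; the two query functions are unchanged.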

Scenario 5: Drift in IaC-Managed Stack

Stem: "Engineers occasionally tweak resources via console, breaking IaC source-of-truth." Right: schedule weekly CloudFormation drift detection via EventBridge Scheduler; on drift detected, EventBridge rule routes to Lambda that opens an OpsCenter OpsItem; engineer reviews and either codifies or reverts.

DOP-C02 exam priority — CloudTrail and AWS Config Audit Dashboards for DevOps Compliance. This topic carries weight on the DOP-C02 exam. Master the trade-offs, decision boundaries, and the cost/performance triggers each AWS service exposes — the exam will test scenarios that hinge on knowing which service is the wrong answer, not just which is right.

FAQ

Q1: When do I use CloudTrail Lake vs Athena over CloudTrail S3 logs?

Lake for low setup cost, fast SQL queries, up to 7 years retention without lifecycle plumbing, and support for non-AWS events. Athena for cost optimization at very large scale (Parquet on S3 is cheaper per TB scanned), or when you already have an Athena-based data lake to integrate with.

Q2: How do I detect "someone modified a Lambda function manually"?

Two paths: CloudTrail captures the UpdateFunctionConfiguration API call with the principal. Config captures the configuration item change with before/after state. Use both — CloudTrail for who, Config for what.

Q3: Should I enable CloudTrail data events on every S3 bucket?

No — data events are very high volume and expensive. Enable only for sensitive buckets (financial records, PII, audit logs themselves). Use advanced event selectors with prefix filters on the object ARN to scope data events to specific keys.

Q4: How do conformance packs differ from Security Hub standards?

Conformance packs are Config rule bundles with optional remediation, deployable per account or org-wide. Security Hub standards translate to Config rules under the hood and present results in the Security Hub console with normalized severity. They overlap; many teams enable both.

Q5: Can I prevent CloudFormation drift entirely?

Not entirely without process discipline. Layer the controls: SCPs denying console writes in production accounts and limiting which IAM roles can modify resources outside CloudFormation, Config rules detecting drift, and CloudFormation drift detection scheduled weekly. The exam wants you to know drift cannot be hard-prevented at the API layer for all changes; detection + remediation is the realistic answer.

Q6: How do I retain CloudTrail logs for 7 years for compliance?

S3 lifecycle to Glacier Flexible Retrieval or Deep Archive. Object Lock in compliance mode to prevent deletion. Or use CloudTrail Lake which natively supports up to 7 years.

Q7: What's the difference between Control Tower drift and CloudFormation drift?

Control Tower drift is at the landing zone layer — removal of mandatory guardrails, disabled organization trail, modifications to managed OUs and accounts. CloudFormation drift is at the stack layer — individual resource modifications. Both are surfaced via EventBridge for automation.

Cross-References

  • CloudWatch metrics and Logs Insights complement CloudTrail with metric-based alarms and log queries; see cloudwatch-metrics-logs-insights.
  • CloudWatch alarms and EventBridge consume CloudTrail and Config events for routing; see cloudwatch-alarms-eventbridge-integration.
  • EventBridge auto-remediation runbooks cover the Config + SSM Automation remediation chain in depth; see eventbridge-auto-remediation-runbooks.
  • Incident Manager and AWS Health consume CloudTrail Insights events for response plan triggers; see systems-manager-incident-manager-health.
  • Deployment failure troubleshooting uses CloudTrail to identify which deployment API call caused a failure; see deployment-failure-troubleshooting.
